TRANSCRIPT
mainframe [z/OS] reverse engineering and exploit development
Chad Rikansrud, Director, North America, RSM Partners
how important?
• 87% of global payments – $8 trillion value
• 29 billion ATM transactions - $5 billion annually
• 4 billion passenger flights annually
• 30 billion total transactions daily
• Big numbers – break it down
• $8 Trillion (4 commas) GDP: U.K. + France + India + Brazil
• 919 ATM transactions/second - $158/second
• 7,610 Passenger flights/minute
• 347,222 Total transactions/second – 8.5x > Google
• It’s important
not going into
• CICS
• TSO/e
• Datasets
• ESM (RACF, TSS, ACF/2)
• see loads of other talks, presentations and content by:
  • myself
  • @mainframed767
  • @ayoul3__
changing cpu state
problem (subset of instructions)
supervisor (all the instructions)
MODESET -> SVC107 -> LCTL CR03 -> 00C0
PSW mode and storage key protection
• supervisor vs problem state
• PSW – program status word (summary of system flags, settings, EIP)
• basically - some vs all CPU instructions
changing access storage key
non-zero (r/w limited to same key)
00 (r/w all the memory)
PSW mode and storage key protection
• storage (memory) key
  • 0-15 – PSW current storage key
  • PSW key must match (or be 0) storage key
how it works in z/os
• system startup processes (IPL)
  • supervisor by design
• SVC / PC (privileged system calls)
  • SVC – supervisor call
  • PC – program call
• APF authorized library list
  • static and dynamic list of libraries (folders)
authorized program facility list (APF)
SYS1.LINKLIB
SYS1.LPALIB
USER.LIBRARY1
PGM.LIBRARY1
PGM.LIBRARY2
if you can edit this list, or update one of these libraries: game over
poorly written SVC or PC
• untrusted parameters
• diagram: caller passes a source parm address 0x81FF3C0 (KEY 8) and a dest / return address 0x8FF3F03 (KEY 0); the routine reads or writes w/o using the source or dest key; CALL -> RETURN
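To make the key check and the "trusted parameter" problem on this slide concrete, here is an added toy model in Python (not the talk's code, and not real z/OS): the addresses and keys are the slide's, while the 256-byte page size and the SVC interface are assumptions of the model.

```python
# Added toy model (not the talk's code): z/Architecture storage-key checking and the
# "poorly written SVC" pattern. Addresses/keys come from the slide; 256-byte pages and
# the SVC interface are constructed for the model.

class Memory:
    def __init__(self):
        self.pages = {}  # page number -> (storage key 0-15, bytearray)
    def map_page(self, page, key):
        self.pages[page] = (key, bytearray(256))
    def check_access(self, psw_key, addr):
        """PSW key must match the storage key, or be 0 (the system key)."""
        page, off = divmod(addr, 256)
        skey, data = self.pages[page]
        if psw_key != 0 and psw_key != skey:
            raise PermissionError(f"PSW key {psw_key} vs key-{skey} storage at {addr:#x}")
        return data, off
    def read(self, psw_key, addr):
        data, off = self.check_access(psw_key, addr)
        return data[off]
    def write(self, psw_key, addr, value):
        data, off = self.check_access(psw_key, addr)
        data[off] = value

def svc_copy_unsafe(mem, caller_key, src, dst):
    """Runs in key 0 and copies with its OWN key, trusting both caller-supplied
    addresses; caller_key is never consulted (the pattern the slide warns about)."""
    mem.write(0, dst, mem.read(0, src))

def svc_copy_safe(mem, caller_key, src, dst):
    """Runs in key 0 but validates both addresses under the CALLER's key first,
    so a key-8 caller cannot use the service to reach key-0 storage."""
    mem.check_access(caller_key, src)
    mem.check_access(caller_key, dst)
    mem.write(0, dst, mem.read(0, src))

def demo():
    mem = Memory()
    mem.map_page(0x81FF3, 8)  # problem-state caller's key-8 parameter area
    mem.map_page(0x8FF3F, 0)  # key-0 system storage
    src, dst = 0x81FF3C0, 0x8FF3F03
    mem.write(8, src, 0x41)
    svc_copy_unsafe(mem, 8, src, dst)  # succeeds: key-8 caller altered key-0 storage
    written = mem.read(0, dst)
    try:
        svc_copy_safe(mem, 8, src, dst)
        blocked = False
    except PermissionError:
        blocked = True
    return written, blocked  # (0x41, True)
```

The fix is the same check the hardware would have applied had the caller touched the storage itself: validate every caller-supplied address under the caller's key, not the service's.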
buffer overflows
• diagram: program read w/o bounds checking; input data fills the pgm variable slots of the allocated pgm storage and overflows into adjacent storage holding critical data, an error routine, a jump address and the return address
intentional backdoors
• diagram: program parameters actionType, secretCode, jumpAddress, saveArea; the program checks the sekrets in its input; good sekret? yes / no -> console error
black hat sound bytes
• mainframe is just another computer
• it isn’t COBOL
• it pretty much runs the financial infrastructure of the planet
• oh, and also the airlines, government and healthcare
• the security posture could be good, but isn’t yet
• most vulnerabilities work here, with some variation
• get a pentest, assessment at least annually
reading - info
• Vulnerability patterns on z/OS (http://events.share.org/Summer2017/Public/SessionDetails.aspx?FromPage=Speakers.aspx&SessionID=3401&nav=true&Role=U%27)
• z/Architecture Principles of Operation (https://www-01.ibm.com/support/docview.wss?uid=isg2b9de5f05a9d57819852571c500428f9a)
• z/XDC Debugger (http://colesoft.com/zxdc/)
Contact info: Chad Rikansrud, Director, N.A., [email protected], @bigendiansmalls